A sophisticated malware campaign has been uncovered that leverages a popular AI-powered productivity application to distribute a dangerous browser extension known as the Mltab plugin. This operation, active since at least May 2024, has already compromised nearly one million systems across China and continues to pose a significant cybersecurity threat.
How the Attack Works
Security researchers from the RedDrip Team at QiAnXin Technology’s Threat Intelligence Center traced the infection chain to a compromised version of Office Assistant, widely used productivity software in China. The attackers inserted malicious downloader logic into the application’s executable (OfficeAid.Main.exe), which then retrieves and installs additional harmful components.
Once the malicious Office Assistant process runs, it communicates with a command-and-control (C2) server controlled by the attackers. This server orchestrates the deployment of the final payload—the Mltab browser plugin—by loading additional DLL files that set up persistence mechanisms on the victim’s system.
What the Mltab Plugin Does
Disguised under names like “MadaoL Newtab”, the Mltab browser extension appears benign but performs a range of harmful activities once installed:
- Data Collection: It systematically gathers detailed browsing data, including browsing patterns, visited sites, and general user behavior.
- Traffic Hijacking: The plugin intercepts and redirects browser traffic to attacker-controlled domains, potentially exposing users to further malicious content or scams.
- Injecting Tracking Scripts: Key parts of the plugin’s code inject scripts into web pages, enabling continuous monitoring and activity logging.
- Malicious UI Elements: It also adds deceptive features such as a fake context-menu option (e.g., “Search with Baidu”) that actually sends users to unwanted promotional links.
The extension has been installed over 210,000 times and—alarming for cybersecurity professionals—it was still available on the official Microsoft Edge Add-ons Store at the time of discovery, underscoring the persistence and stealth of the campaign.
Threat Landscape and Impact
The malware targets a broad range of browsers, including:
- Microsoft Edge
- Google Chrome
- QQ Browser
- Sogou Browser
- Lenovo Browser
- 2345 Browser
The attackers use legitimate distribution and trust mechanisms—such as digitally signed software components—to deliver their payload. This approach helps them evade traditional security filters and trick users into installing dangerous software unknowingly.
Detection and Mitigation
Detection and mitigation are possible with advanced endpoint protection platforms. Solutions like QiAnXin’s threat intelligence tools can identify and remove Mltab-related components. These detection systems leverage behavior analysis and signature updates to track and eliminate the malicious plugin and its download mechanisms.
Advice for Users
Users, especially those utilizing Office Assistant or similar productivity tools, should:
- Confirm their installed version and immediately remove any suspicious browser extensions like Mltab or MadaoL Newtab.
- Update software only from verified sources to avoid trojanized installers with embedded malware.
- Use reliable antivirus and anti-malware solutions capable of detecting complex threats delivered through seemingly legitimate software.
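A way to put the extension-removal advice into practice on Windows endpoints, as an added example that is not from the article or from QiAnXin's tooling: walk each Chromium-family extension directory, parse every manifest.json, and flag extensions whose name matches the names reported above or whose permission set matches the traffic-redirection, script-injection and context-menu behaviour described. The Edge and Chrome paths are the standard default-profile locations; the other browsers listed in the article need their paths supplied, and the sample extension tree in demo() is constructed data.

```python
import json, os, tempfile
from pathlib import Path

REPORTED_NAMES = ("mltab", "madaol newtab")  # names given in the article
# Permissions enabling the described traffic redirection, page script injection and menus.
BROAD_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "tabs", "contextMenus", "scripting", "<all_urls>"}

def assess_manifest(manifest: dict) -> list:
    """Return the reasons an extension manifest deserves review (empty if none)."""
    name = str(manifest.get("name", ""))  # "__MSG_*__" names need a _locales lookup
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    reasons = []
    if any(tag in name.lower() for tag in REPORTED_NAMES):
        reasons.append("name matches reported Mltab / MadaoL Newtab indicator")
    broad = sorted(perms & BROAD_PERMISSIONS)
    if len(broad) >= 3:
        reasons.append("broad permissions: " + ", ".join(broad))
    return reasons

def scan_extension_root(root: Path) -> dict:
    """Walk a Chromium-style Extensions dir (<id>/<version>/manifest.json)."""
    findings = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            reasons = assess_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the sweep
        if reasons:
            findings[manifest_path.parent.parent.name] = reasons  # keyed by extension id
    return findings

def default_roots() -> list:
    """Edge and Chrome default-profile extension dirs on Windows (QQ, Sogou, Lenovo, 2345 not included)."""
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    return [local / r"Microsoft\Edge\User Data\Default\Extensions",
            local / r"Google\Chrome\User Data\Default\Extensions"]

def demo() -> dict:
    """Run the scan over a constructed extension tree (sample data, not real samples)."""
    root = Path(tempfile.mkdtemp())
    samples = {"a" * 32: {"name": "Plain Notes", "permissions": ["storage"]},
               "b" * 32: {"name": "MadaoL Newtab", "permissions": ["tabs", "webRequest", "contextMenus"],
                          "host_permissions": ["<all_urls>"], "chrome_url_overrides": {"newtab": "t.html"}}}
    for ext_id, manifest in samples.items():
        (root / ext_id / "1.0.0").mkdir(parents=True)
        (root / ext_id / "1.0.0" / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return scan_extension_root(root)
```

On a live system, call scan_extension_root() on each entry from default_roots() and treat every hit as a candidate for manual review and removal.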
